http://www.nytimes.com/library/tech/99/03/cyber/articles/08defense.html
March 8, 1999
Hacker 'Attacks' on Military Networks May Be Closer to Espionage
By PETER WAYNER
In recent weeks, Government officials involved with defense have described
a new kind of "cyberwar" being fought on the Internet, with unknown
hackers unleashing relentless assaults on military computers.
"Are we under constant attack? Absolutely," said Representative Curt
Weldon, a Pennsylvania Republican who heads the Military Research and
Development Subcommittee of the House Armed Services Committee, in a
telephone interview on Friday. Weldon held a closed-door briefing last
month at which military officials told House members that the Pentagon was
facing new threats from hackers.
"Attack" is a strong word, one that might bring to mind the Japanese
strike on Pearl Harbor. But some computer security experts stress that
while the hacker activity that the House heard about is a potential
threat, calling it an attack could be an overstatement. Much of it appears
to be something closer to cold war espionage than a bombing run.
The Naval Surface Warfare Center in Dahlgren, Va., first detected the
unusual activity that John J. Hamre, the Deputy Secretary of Defense,
described to the House last month. Fred Kerby, the information system
security manager at the center, characterized it as a "low and slow scan,"
designed to map out military computer networks without attracting
attention.
Drew Dean, a computer security expert at Xerox's Palo Alto Research
Center, said it could be misleading to characterize this kind of scan as a
full attack.
"It's a precursor to attack," he said. "If someone I didn't know scanned
my machine, I would assume it was an unfriendly act." Dean noted, however,
that there are often legitimate and innocent reasons for a computer user
to check out another machine across the Internet.
In fact, the Norwegian Supreme Court was recently asked to rule on whether
or not such scanning was illegal. The court decided that it was not,
because it was similar to a knock on the door, not forced entry.
A hacker wanting to learn something about an organization's computer
network might begin by scanning the network with the "ping" protocol,
which sends a small packet of data to a computer and asks it to respond to
see if it is connected to the network. This is equivalent to calling a
list of sequential telephone numbers and seeing who answers.
Kerby at the Naval Surface Warfare Center said that most military sites
routinely block out ping requests. "We don't allow them through," he said.
"We regard them as an ankle biter... We just note that they came up and
rang the door bell, but we had everything secured before they got here."
Some hackers use more sophisticated probes. It is possible, for instance,
to see if a computer accepts electronic mail by sending a trial message.
This information can be exploited, in some cases, because older versions
of the popular electronic mail program known as Sendmail have numerous
security holes that could give a hacker access to a system. Robert Tappan
Morris Jr., then an undergraduate at Cornell University, used one such
hole to launch a "worm" program that crippled the Internet in 1988.
In the case of the latest probes, the hackers tried to conceal the scale
of their effort by sending requests from a number of different computers.
"This is what's known as a coordinated attack," said John Green, a senior
security analyst at the Naval Surface Warfare Center. "It's not detected
by most commercial detection systems. What made this significant is that
it was low and slow. We would get very few packets from each site."
The Dahlgren center discovered these distributed probes with a new
surveillance system they designed called "Shadow," which looks for
patterns in data traffic. In this case, it analyzed packet flows over
several months and revealed that many machines were being completely
probed.
"Instead of hitting 65,536 ports on one computer, they'll be probing one
or two ports on each computer, then one or two on another computer,"
Kerby said. After some time, all of the ports on each computer would have
been systematically probed by several machines acting in concert.
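
An added example, not part of the article and not the Shadow software: one way to surface the pattern Kerby describes is to aggregate flow records per target over a long window instead of per source over a short one. The thresholds, function names and sample records below are assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed flow records (day, src, dst, dst_port); not real traffic."""
    events = []
    sources = [f"198.51.100.{i}" for i in range(1, 11)]
    targets = ["192.0.2.10", "192.0.2.11"]
    next_port = {t: 1 for t in targets}
    # Low and slow: each of 10 sources sends one probe per day for 90 days.
    for day in range(90):
        for i, src in enumerate(sources):
            dst = targets[(day + i) % 2]
            events.append((day, src, dst, next_port[dst]))
            next_port[dst] += 1
    # A noisy single-source scan, and an ordinary web client, for contrast.
    events += [(5, "203.0.113.7", "192.0.2.13", p) for p in range(1, 101)]
    events += [(d, "203.0.113.50", "192.0.2.12", 80) for d in range(90)]
    return events

def per_source_alerts(events, threshold=20):
    """Short-window check: one source touching many (host, port) pairs in a day."""
    seen = defaultdict(set)
    for day, src, dst, port in events:
        seen[(day, src)].add((dst, port))
    return {src for (_, src), pairs in seen.items() if len(pairs) >= threshold}

def coordinated_targets(events, min_ports=100, min_sources=5, max_share=0.25):
    """Long-window check: many ports covered on one host by many light sources."""
    ports = defaultdict(set)
    per_src = defaultdict(lambda: defaultdict(int))
    for _, src, dst, port in events:
        ports[dst].add(port)
        per_src[dst][src] += 1
    flagged = {}
    for dst, seen_ports in ports.items():
        counts = per_src[dst]
        top_share = max(counts.values()) / sum(counts.values())
        if (len(seen_ports) >= min_ports and len(counts) >= min_sources
                and top_share <= max_share):
            flagged[dst] = (len(seen_ports), len(counts))
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("per-source alerts:", per_source_alerts(sample))
    print("coordinated targets:", coordinated_targets(sample))
```

The per-source check sees only the noisy scanner, while the per-target view shows that two hosts had hundreds of ports covered by ten sources that each stayed far below any daily threshold.
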
"Scanning or probing is just a reconnaissance effort," Green said. "Once
they gather a map of your network, they can then go back and target the
machines that they've discovered."
Assessing the real danger of this activity is difficult to do. Many people
use tools like the ping protocol to test and debug their networks. In
fact, those probing the military networks may be using the same tools used
routinely by the network administrators, because they have both legitimate
and illegitimate uses.
Determining the scope of the hackers' effort is also hard, in part because
the Department of Defense refuses to say much about it. The
investigation is still unfolding and is also classified.
The Pentagon has said that, as is the case with the vast majority of
hacking attempts, the recent probes did not result in the penetration of
any computers storing sensitive information. Also, the Dahlgren center
said it found a way to thwart this method of probing, and has told all
military services about the remedy. It has posted the Shadow software on
its Web site so any organization can use it freely.
Some security experts and critics of the military budget dismiss the
recent talk of "cyberwar" as a public relations effort, designed to get
Congress to increase defense spending. They point out that truly sensitive
government computers are not even connected to the Internet. It is
important to ask, they say, whether the activity described to Congress was
an attempt to launch missiles or just probes of innocent desktop computers
used to surf the Web.
"It would not surprise me if this was a public relations maneuver," said
Winn Schwartau, a security consultant and author of the book "Information
Warfare," in a telephone interview on Friday.
Schwartau said, however, that the nation is not spending enough to defend
itself from enemies armed with computers and hacking expertise. "Maybe
they're being more open about it to help with the overall awareness that
America is sorely lacking," he said.
"Is surveillance an offensive activity?" Schwartau asked. "Under the
cold-war mentality, it was. A U2 surveillance of Russia was considered
offensive. Some satellite surveillance was considered offensive."
Military computers have long been a favorite target of members of the
hacker underground wanting to show off their skills. But Representative
Weldon said it is important not to dismiss all hacking attempts as the
work of computerized joyriders.
"I can tell you, I know there are countries out there that are putting
money into information warfare," he said. "You know, they can't match our
military, so they take what they have: high-performance computers and
people who know systems. Then you work on compromising our systems."
Weldon noted that the Defense Department is not the only target of
malicious hackers. "We know of banks who've had their firewalls broken and
money transferred out, and they're not going to talk about it," he said.
The private sector needs to cooperate more with the government in this
area, he said.